octavia
#2

Description

Octavia is an open source, operator-scale load balancing solution designed to
work with OpenStack.

Octavia was born out of the Neutron LBaaS project. Octavia has become the
reference implementation for Neutron LBaaS version 2.

Octavia accomplishes its delivery of load balancing services by managing a
fleet of virtual machines, containers, or bare metal servers collectively
known as amphorae which it spins up on demand. This on-demand, horizontal
scaling feature differentiates Octavia from other load balancing solutions,
thereby making Octavia truly suited "for the cloud."

Overview

This charm provides the Octavia load balancer service for an OpenStack Cloud.

OpenStack Rocky or later is required.

Usage

Octavia and the Octavia charm rely on services from a fully functional OpenStack Cloud and expect to be able to consume images from Glance, create networks in Neutron, consume certificate secrets from Barbican (preferably utilizing a Vault backend) and spin up instances with Nova.

The charm represents this with the following mandatory configuration options:

lb-mgmt-issuing-cacert

lb-mgmt-issuing-ca-private-key

lb-mgmt-issuing-ca-key-passphrase

lb-mgmt-controller-cacert

lb-mgmt-controller-cert

You must issue/request certificates that meet your organization's requirements.

NOTE: It is important not to use the same CA certificate for both lb-mgmt-issuing-cacert and lb-mgmt-controller-cacert configuration options. Failing to keep them separate may lead to abuse of certificate data to gain access to other Amphora instances in the event one of them is compromised.

To get you started we include an example of generating your own certificates:
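The following is an added example, not the charm's own code: it generates the material for the five mandatory options with OpenSSL, using two independent CAs as the NOTE above requires, and includes a pre-flight check that the two CA certificates do not share a key. File names, subjects, key sizes, lifetimes and function names are assumptions, as is bundling the controller certificate and key in one PEM; how the values must be encoded when set on the charm is not stated on this page.

```shell
#!/bin/bash
# Added example: two independent CAs for the Octavia management plane.
# File names, subjects, key sizes and lifetimes are assumptions.

write_cnf() {  # minimal OpenSSL config, so results do not depend on system defaults
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
extendedKeyUsage = clientAuth
EOF
}

make_ca() {  # make_ca <basename> <common-name>; needs ca.cnf in cwd and $CA_PASS exported
    # env: keeps the passphrase out of argv, where other local users could read it
    openssl genrsa -aes256 -passout env:CA_PASS -out "$1_key.pem" 2048 &&
    openssl req -x509 -new -key "$1_key.pem" -passin env:CA_PASS \
        -config ca.cnf -extensions v3_ca \
        -subj "/O=Example Org/CN=$2" -days 365 -out "$1.pem"
}

# generate_octavia_pki <outdir> <issuing-ca-passphrase> <controller-ca-passphrase>
generate_octavia_pki() (  # subshell body: umask, cd and CA_PASS do not leak to the caller
    umask 077  # private keys readable by the owner only
    cd "$1" && write_cnf ca.cnf || exit 1
    CA_PASS=$2; export CA_PASS
    make_ca issuing_ca "Amphora issuing CA" || exit 1        # lb-mgmt-issuing-*
    CA_PASS=$3
    make_ca controller_ca "Octavia controller CA" || exit 1  # lb-mgmt-controller-cacert
    # Controller client certificate, signed by the controller CA only.
    openssl req -new -newkey rsa:2048 -nodes -keyout controller_key.pem \
        -config ca.cnf -subj "/O=Example Org/CN=octavia-controller" \
        -out controller.csr &&
    openssl x509 -req -in controller.csr -CA controller_ca.pem \
        -CAkey controller_ca_key.pem -passin env:CA_PASS -CAcreateserial \
        -extfile ca.cnf -extensions client -days 365 -out controller.crt &&
    # Assumption: lb-mgmt-controller-cert takes certificate and key in one PEM.
    cat controller.crt controller_key.pem > controller_cert.pem
)

cas_are_distinct() {  # fails if both certificates carry the same public key
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    b=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$a" != "$b" ]
}
```

Run `generate_octavia_pki <outdir> <issuing-passphrase> <controller-passphrase>` and then `cas_are_distinct issuing_ca.pem controller_ca.pem` before setting the options. None of the five options takes `controller_ca_key.pem`, so that key can stay off the deployment host.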

Optional resource configuration

By executing the configure-resources action the charm will create the resources required for operation of the Octavia service. If you want to manage these resources yourself you must set the create-mgmt-network configuration option to False.

You can at any time use the configure-resources action to prompt immediate resource discovery.

To let the charm discover the resources and apply the appropriate configuration
to Octavia, you must use Neutron resource tags.

The UUID of the Nova flavor you want to use must be set with the custom-amp-flavor-id configuration option.

Bugs

Configuration

(boolean)
If True enables openstack upgrades for this charm via juju actions.
You will still need to set openstack-origin to the new repository but
instead of an upgrade running automatically across all units, it will
wait for you to execute the openstack-upgrade action for this charm on
each unit. If False it will revert to existing behavior of upgrading
all units on config change.

(boolean)
The ``octavia`` charm utilizes Neutron Resource tags to locate networks,
security groups and ports for use with the service.
.
If none are found the default behaviour is to create the resources
required for management of the load balancer instances.
.
Set this to False if you want to be in control of creation and management
of these resources yourself. Please note that the service will not be
fully operational until they are available.
.
Refer to the documentation on https://jujucharms.com/octavia/ for a
complete list of resources required and how they should be tagged.

(string)
Note that setting this configuration option is mandatory.
.
Certificate Authority Certificate installed on ``Amphorae`` with the
purpose of the ``Amphora`` agent using it to authenticate connections
from ``Octavia`` controller services.
.
Note that due to security concerns it is important not to use the same CA
certificate for both ``lb-mgmt-issuing-cacert`` and
``lb-mgmt-controller-cacert`` configuration options. Failing to keep
them separate may lead to abuse of certificate data to gain access to
other ``Amphora`` instances in the event one of them is compromised.
.
Note that these certificates are not used for any load balancer payload
data.

(string)
Note that setting this configuration option is mandatory.
.
Certificate used by the ``Octavia`` controller to authenticate itself to
its ``Amphorae``.
.
Note that these certificates are not used for any load balancer payload
data.

(string)
Note that setting this configuration option is mandatory.
.
Passphrase for the key set in ``lb-mgmt-issuing-ca-private-key``.
.
NOTE: As of this writing Octavia requires the private key to be protected
with a passphrase.
.
Note that these certificates are not used for any load balancer payload
data.

(string)
Note that setting this configuration option is mandatory.
.
Private key for the Certificate Authority set in ``lb-mgmt-issuing-cacert``.
.
Note that these certificates are not used for any load balancer payload
data.

(string)
Note that setting this configuration option is mandatory.
.
Certificate Authority Certificate used to issue new certificates stored
on the ``Amphora`` load balancer instances. The ``Amphorae`` use them to
authenticate themselves to the ``Octavia`` controller services.
.
Note that due to security concerns it is important not to use the same CA
certificate for both ``lb-mgmt-issuing-cacert`` and
``lb-mgmt-controller-cacert`` configuration options. Failing to keep
them separate may lead to abuse of certificate data to gain access to
other ``Amphora`` instances in the event one of them is compromised.
.
Note that these certificates are not used for any load balancer payload
data.

(string)
Repository from which to install OpenStack.
May be one of the following:
distro (default)
ppa:somecustom/ppa (PPA name must include OpenStack Release)
deb url sources entry|key id
or a supported Ubuntu Cloud Archive pocket.
Supported Ubuntu Cloud Archive pockets include:
cloud:trusty-juno
cloud:trusty-kilo
cloud:trusty-liberty
cloud:trusty-mitaka
Note that updating this setting to a source that is known to
provide a later version of OpenStack will trigger a software
upgrade.

(string)
The hostname or address of the admin endpoints created in the keystone
identity provider.
.
This value will be used for admin endpoints. For example, an
os-admin-hostname set to 'api-admin.example.com' with ssl enabled
will create the following endpoint for neutron-api:
.
https://api-admin.example.com:9696/

(string)
The hostname or address of the internal endpoints created in the keystone
identity provider.
.
This value will be used for internal endpoints. For example, an
os-internal-hostname set to 'api-internal.example.com' with ssl enabled
will create the following endpoint for neutron-api:
.
https://api-internal.example.com:9696/

(string)
The hostname or address of the public endpoints created in the keystone
identity provider.
.
This value will be used for public endpoints. For example, an
os-public-hostname set to 'api-public.example.com' with ssl enabled
will create the following endpoint for neutron-api:
.
https://api-public.example.com:9696/

(string)
SSL certificate to install and use for API ports. Setting this value
and ssl_key will enable reverse proxying, point Glance's entry in the
Keystone catalog to use https, and override any certificate and key
issued by Keystone (if it is configured to do so).

(float)
The CPU core multiplier to use when configuring worker processes. By
default, the number of workers for each daemon is set to twice the number
of CPU cores a service unit has. When deployed in a LXD container, this
default value will be capped to 4 workers unless this configuration
option is set.

Relations
Relations enable services to easily and securely share information with each other.